CN103270518A - Virtual machine validation - Google Patents

Virtual machine validation

Info

Publication number: CN103270518A
Authority: CN (China)
Prior art keywords: trusted host, configuration data, data structure, requirement, host environment
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN2011800618386A
Other languages: Chinese (zh)
Other versions: CN103270518B (en)
Inventors: J.W. 沃尔克, C.W. 詹姆斯, D.N. 麦金托什
Current assignee: International Business Machines Corp
Original assignee: International Business Machines Corp
Application filed by International Business Machines Corp
Publication of CN103270518A
Application granted; publication of CN103270518B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

A system, method, computer program product and computer program for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM), the system comprising: a store component for cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure; a send component, responsive to the store component storing the configuration data, for sending the at least one cryptographic data structure to a control component; an analyse component, responsive to the control component receiving the at least one cryptographic data structure, for analysing the at least one cryptographic data structure; a compare component, responsive to the analyse component determining the configuration data, for comparing the configuration data with the requirement; and a verify component, responsive to the compare component determining that the configuration data matches the requirement, for allowing verification of the VM.

Description

Virtual machine validation
Technical field
The present invention relates to computer virtual machines. In particular, it relates to apparatus and methods for the validation of virtual machines.
Background technology
A virtual machine (VM) is a software implementation of a physical computer. A computer program designed to execute on a physical machine executes in a similar way when run on a VM. A VM provides a complete system platform that supports a complete operating system (OS). A physical machine can be shared among the users of different VMs, each running a different OS.
Modern processor architectures enable virtualization technology, which allows multiple operating systems and VMs to run on a single physical machine. These technologies use a hypervisor layer that runs directly on the physical hardware and mediates access to that hardware by offering a virtual hardware layer to the operating system running in each virtual machine. The hypervisor may operate on the physical machine in conjunction with "native VMs". Alternatively, the hypervisor may operate at a higher software level, in conjunction with "hosted VMs", on top of an operating system running on the physical machine.
Examples of VM technology include:
Kernel-based Virtual Machine (KVM), which allows one or more Linux or Windows virtual machines to run on an underlying Linux system running KVM.
Xen, which allows guest (virtualized) Linux to run on Linux.
Parallels, which allows Linux and Windows to run on Mac OS X.
VMware, which allows Linux and Windows systems to run on Mac OS X, Windows and Linux systems.
(Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States, other countries, or both.)
A Trusted Platform Module (TPM) is a system that complies with the security specification defined by the Trusted Computing Group (TCG). It is usually implemented as a component of a computer system that protects cryptographic keys and information. A TPM can also provide remote attestation, which makes changes to the computer system detectable by an authorized party. A TPM can be implemented in hardware, in software, or in a combination of both.
A virtual TPM (vTPM) provides TPM services to the VMs running on a hypervisor. A vTPM is defined as a TPM implemented in software; it can offer TPM services to anything, not only to a VM. Throughout the lifetime of a VM, even when the VM is migrated from one physical machine to another, the VM and its associated vTPM are kept secure together. The vTPM must also maintain its security association with the trusted computing base.
A vTPM can be hosted in user space within a VM, in a secure coprocessor, or in its own separate VM.
A VM deployed to a data center can have many requirements about its running environment. These requirements can include the type of hardware, or some lower-level system configuration that is outside the VM's visibility and control. Such requirements can be stipulated in a service level agreement (SLA) and can form part of industry regulations. When a VM is migrated between different systems, it is easy for one of these requirements to be violated. When administrators change their systems, they may not be aware of the VM's requirements and may violate a requirement again.
For a system owner who has deployed a VM at a remote data center, verifying that these requirements are met is very difficult. Even for a system owner who can see the data center systems, establishing that the requirements are met is still inconvenient.
Although VMs provide cost benefits to the platform owner, VMs need protection from malicious attack. One way is to use a root of trust, such as a hardware-based Trusted Platform Module (TPM), which assesses the integrity of all software running on the platform, including the operating systems, hypervisor and applications running in the VMs. The TPM enables remote attestation by digitally signing cryptographic hashes of the software components. In this context, "attestation" means providing evidence of exactly which software and hardware components were booted; "validation" means attestation, verification, or their combined effect.
TPMs and trusted computing do not guard against situations in which a service level agreement (SLA) may be violated.
There is therefore a need in the art to address the shortcomings of known trusted computing systems.
Summary of the invention
Viewed from a first aspect, the invention provides a system for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM), the system comprising: a store component for cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure; a send component, responsive to the store component storing the configuration data, for sending the at least one cryptographic data structure to a control component; an analyse component, responsive to the control component receiving the at least one cryptographic data structure, for analysing the at least one cryptographic data structure; a compare component, responsive to the analyse component determining the configuration data, for comparing the configuration data with the requirement; and a verify component, responsive to the compare component determining that the configuration data matches the requirement, for allowing verification of the VM in the trusted host environment.
Preferably, the invention provides a system in which the verify component is further operable, responsive to the compare component determining that the configuration data does not match the requirement, to deny verification of the VM in the trusted host environment.
Preferably, the invention provides a system in which the store component is a hypervisor; the at least one cryptographic data structure is at least one platform configuration register (PCR); the at least one cryptographic data structure is associated with another trusted host environment of the VM; the trusted host environment comprises a trusted platform module; and the system further comprises a first server comprising the trusted host environment and a second server comprising the control component.
Viewed from a second aspect, the invention provides a method for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM), the method comprising the steps of: cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure; responsive to the step of storing the configuration data, sending the at least one cryptographic data structure to a control component; responsive to the step of receiving the at least one cryptographic data structure, analysing the at least one cryptographic data structure; responsive to the step of determining the configuration data, comparing the configuration data with the requirement; and responsive to the step of determining that the configuration data matches the requirement, allowing verification of the VM in the trusted host environment.
Preferably, the invention provides a method further comprising, responsive to the step of determining that the configuration data does not match the requirement, denying verification of the VM in the trusted host environment.
Preferably, the invention provides a method in which the step of cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure comprises the step of cryptographically storing the configuration data associated with the trusted host environment in at least one platform configuration register (PCR); the method further comprises the step of associating the at least one cryptographic data structure with another trusted host environment of the VM; the trusted host environment comprises a trusted platform module; and the method further comprises providing a first server comprising the trusted host environment and providing a second server comprising the control component.
Viewed from another aspect, the invention provides a computer program product for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM), the computer program product comprising a computer-readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing the steps of the method of the invention.
Viewed from another aspect, the invention provides a computer program stored on a computer-readable medium and loadable into the internal memory of a digital computer, comprising software code portions for performing the method of the invention when the program is run on a computer.
Advantageously, the invention provides a method that allows a system owner to verify remotely that its requirements are met. It extends the use of a virtual Trusted Platform Module (vTPM) to report more than just the VM's software configuration.
Advantageously, existing remote verification methods can still be performed using a trusted boot of the system, giving confidence that the system is running a known and trusted software configuration.
Advantageously, the VM owner can also use platform configuration registers (PCRs) maintained by the system hypervisor to check the environmental requirements of the system. The hypervisor sits below the virtual machines and has direct control of the system hardware, so it is in the best position to report the system state and configuration relevant to the VM's environmental requirements. Because the vTPM device is virtual and is loaded from the hypervisor, this solution allows the hypervisor to set one or more PCRs to reflect the environment. When the VM is running and a verification is performed, the VM owner can see the state of the environment through the PCRs and check that its requirements are met. Advantageously, the VM owner can check the system settings even when it only has access to the VM running on the system.
Advantageously, the vTPM and the hypervisor communicate with each other. One or more PCRs are allocated to store measurements of items outside the VM's view. Advantageously, the components below the VM cooperate to measure the items of interest and propagate the measurements into the allocated PCR(s) of the vTPM. Remote verification can then validate the allocated PCR(s) against a policy. When the VM is attested, it reports not only the state of the software that was booted, but also information about the server on which the VM is running.
Advantageously, known tools can be extended so that the attestation feature includes, for example, validation of PCR_8 to ensure that the system meets an environmental requirement, such as the state of the "dev" user of the Flexible Service Processor (FSP). This makes the management of many VMs with such requirements easy. The FSP is a small control computer system that resides in IBM POWER6 systems. (IBM and POWER6 are trademarks of International Business Machines Corporation in the United States, other countries, or both.)
In the current state of the art, a VM cannot inspect the FSP for such a configuration. The present invention solves this problem because the FSP, the hypervisor and the vTPM are all connected and can measure each other, and then report the measurement via the allocated PCR.
Advantageously, for a consumer with a service level agreement (SLA) that requires its VM to run on a particular type of central processing unit (CPU), data such as this, reported via a PCR and attested, is valuable. Attestation and subsequent verification can help prove that the SLA is met, particularly if the VM is at some time migrated to another physical system.
Advantageously, the VM owner can check the system settings when it only has access to the VM running on the system. A PCR is allocated to store measurements of items outside the VM's view. The components below the VM, for example the vTPM and the hypervisor communicating with each other, cooperate to measure the items of interest and propagate the measurements into the vTPM's PCR. Attestation and verification can validate the allocated PCR against a policy.
Description of drawings
Preferred embodiments of the invention will now be described, by way of example only, with reference to the following figures.
Fig. 1 is a block diagram depicting a prior-art data processing system in which a preferred embodiment of the invention may be implemented;
Fig. 2 is a block diagram depicting two prior-art physical servers in which a preferred embodiment of the invention may be implemented;
Fig. 3 is a high-level exemplary schematic flow diagram depicting the method steps for providing trust data of a virtual machine (VM), according to a preferred embodiment of the invention;
Fig. 4 is a high-level exemplary schematic flow diagram depicting the method steps for providing validation of the compliance of a trusted host environment with a requirement of a VM, according to a preferred embodiment of the invention;
Fig. 5 is a block diagram depicting platform configuration registers (PCRs), according to a preferred embodiment of the invention;
Fig. 6 is a block diagram depicting a server, according to a preferred embodiment of the invention; and
Fig. 7 is a block diagram depicting a control program operable on a workstation in communication with the server, according to a preferred embodiment of the invention.
Embodiment
Fig. 1 is a block diagram depicting a prior-art data processing system 100 in which a preferred embodiment of the invention may be implemented. The data processing system comprises a workstation 120 and servers 150, 160. Workstation 120 and servers 150, 160 may be connected through a network 110.
Server 150 comprises two virtual machines (VMs) 152 and 156 running different operating systems. Applications 154 and 158 may run in VMs 152 and 156 respectively. Server 160 comprises one VM 166; application 168 may run on VM 166. A user accesses applications 154, 158, 166 interactively through an application client program 134 on workstation 120. Administrator 114 controls data processing system 100 through a control program 118 running on workstation 120.
Fig. 2 is a block diagram depicting the two prior-art servers 150 and 160 in which a preferred embodiment of the invention may be implemented. A hypervisor 256 runs on the physical hardware 252 of physical server 150 and allows native VMs 152 and 156 to run on hypervisor 256. VMs 152 and 156 are isolated from each other and operate as though each were running a complete operating system. Hypervisor 256 emulates hardware for each of VMs 152 and 156, so that when VM 152 or 156 wishes to access its virtualized hardware devices (for example an Ethernet card or a Small Computer System Interface (SCSI) controller), hypervisor 256 intercepts these instructions and converts them into accesses to physical hardware 252.
An operating system (OS) 264 runs on the physical hardware 262 of physical server 160. A hypervisor 266 runs on OS 264. Guest VM 166 runs on hypervisor 266. VM 280 runs on OS 264.
A system translator (ST) 268 is a software component that allows a complete system (OS 264 and applications 154, 158) designed for one instruction set architecture (ISA) (for example Sun SPARC) to run on a system with a different ISA (for example IBM POWER6). (IBM and POWER6 are trademarks of International Business Machines Corporation in the United States, other countries, or both.) ST 268 acts as a layer between VM 280 and physical hardware 262.
As depicted in Fig. 2, ST 268 may run in an operating system (not shown) within guest VM 280. In this case OS 264 starts a user-space program that provides the system translation function. ST 268 provides to the single VM 280 services similar to those that hypervisors 256, 266 provide to the multiple VMs 152, 156 running on physical machines 150, 160. ST 268 emulates hardware in the same way as hypervisors 256, 266, but hardware of a different architecture; in addition, ST 268 translates the instructions that VM 280 expects to execute. A system translator usually uses binary translation to convert machine instructions from one ISA to another. It also emulates hardware, so that an entire machine is emulated and a full-system image runs unchanged.
In an alternative embodiment, ST 268 may operate as part of hypervisor 266. In another alternative embodiment, ST 268 may run directly on hypervisor 266; in this embodiment ST 268 operates like an OS running in VMs 152, 156, 166 and 280. In further alternative embodiments, ST 268 may run within native OS 264, as a layer on top of native OS 264, or as a layer between VMs 152, 156, 166, 280 and physical hardware 252, 262.
In normal operation, the functions of ST 268 comprise instruction translation and hardware emulation. Instruction translation uses binary translation to execute the instructions required by VM 280 on a different physical architecture. Hardware emulation provides a mechanism for emulating the hardware that the translated OS expects to be present, including for example network interface cards, memory controllers, interrupt controllers, read-only memory (ROM) and random-access memory (RAM).
Fig. 3 (to be read in conjunction with Figs. 4, 5, 6 and 7) is a high-level exemplary schematic flow diagram 300 depicting the method steps for providing trust data of a virtual machine (VM), according to a preferred embodiment of the invention. Fig. 4 is a high-level exemplary schematic flow diagram 400 depicting the method steps for providing validation of the compliance of a trusted host environment with a requirement 720 of a VM. Fig. 5 is a block diagram depicting platform configuration registers (PCRs) 505, 555. Fig. 6 is a block diagram 600 depicting server 150. Fig. 7 is a block diagram depicting the control program 118 operable on workstation 120, which communicates with server 150.
The invention is described using the IBM POWER6 virtualization architecture only as an example. Those skilled in the art will appreciate that the invention applies equally to other virtualization architectures.
As an example illustrating the invention, the remote attestation is concerned with whether a particular user account is enabled on the underlying server. Those skilled in the art will appreciate that remote attestation may be concerned with any number of items of information about the underlying server. For example, other configuration flags can be reported via the mechanism described here, such as debug mode, dump mode, fault flags, firmware versions, hardware settings and more.
The method starts at step 301, when power is applied to server 150. In step 305, the basic input/output system (BIOS) brings up the hardware 620 of server 150. Server 150 also comprises non-volatile memory (NVRAM) 630, in which reside the code 635 and the configuration for the hypervisor 645 (also known as PHYP). The small control computer system residing in a POWER system is known as the Flexible Service Processor (FSP) 605. FSP 605 controls NVRAM 630 and is responsible for loading and updating hypervisor 645 using loader code 610. Control and updating of hypervisor 645 are considered restricted (only digitally signed updates can be applied), so hypervisor 645 is considered to form part of the core root of trust. In step 310, hypervisor code 635 is loaded and hypervisor 645 starts on server 150.
When server 150 starts, a Trusted Platform Module (TPM) process 315 starts, recording events in a host database 622 and storing the results of cryptographic measurements in a set of PCRs 505 in TPM 628. TPM 628 is stored in a secure location on server hardware 620. Trusted boot is the process of establishing a chain of trust while a computing system boots. Using TPM process 315, the booted components can be cryptographically measured and the results cryptographically stored in PCRs 505 of TPM 628. PCRs 505 are initialized at power-up and can only be modified through the extend function. Each boot component measures the next boot component by computing a cryptographic hash of the byte array representing that component; the resulting value is cryptographically combined with the existing PCR 505 value. Once boot has completed, the final set of PCRs 505 represents the chain of trust. Once the system is running, a remote attestation process (for example direct anonymous attestation (DAA) in control program 118 on a remote system) can extract the chain of trust for verification. The PCR 505 values are used to determine whether the server is trusted. The PCR extend process is carried through the whole boot process, including for example the BIOS, the boot loader (for example the loading of the hypervisor), the start of any native operating system (OS) 264 and the start of any native applications. Fig. 5 depicts an exemplary set of PCRs 505 showing where the different cryptographic hashes of the boot process are placed. For example, PCR_0 contains in field 510 the cryptographic hash of the core root of trust for measurement (CRTM). The CRTM represents the BIOS boot block code and is always considered trusted.
In step 320, the hypervisor starts one of the VMs, VM 152. NVRAM 630 also contains virtual Trusted Platform Module (vTPM) code 640. Each of VMs 152, 156 runs on hypervisor 645, and its associated vTPM 655 allows VM 152, 156 to perform a trusted boot and subsequent remote attestation. In step 325, vTPM code 640 is loaded. VM 152 records its boot events in a VM database 665 and, during its boot, builds up a set of virtual PCRs (vPCRs) 555 in its vTPM 655. Similarly to the boot of the base system in steps 305, 310 and 315, software components are loaded (step 330), the next component is cryptographically measured (step 335), and the result is stored in vPCRs 555. In step 345, a determination is made whether VM 152 has fully started. If more components remain to be loaded, control returns to step 330. Further components may include applications 154, 158 and 168. In a preferred embodiment, responsibility for updating vPCRs 555 is delegated to hypervisor 645; in an alternative embodiment, VM 152 updates its own vPCRs 555. In this example VM 152 boots in eight stages, so vPCR_0 to vPCR_7 are updated.
The vTPM can be stored in various locations. In a preferred embodiment, each VM 152, 156 controls its own associated vTPM 655. In an alternative embodiment, all vTPMs 655 are controlled by a management VM, with accesses from the corresponding VM 152, 156 routed to the appropriate vTPM 655. Those skilled in the art will appreciate that many different architectures can be provided for controlling vTPM 655.
If no more components remain to be loaded, VM 152 has started and control proceeds to step 350. In step 350, hypervisor 645 is granted access to vPCR_8 565. vPCR_8 565 is not used by step 320. In step 355, FSP 605 records the Secure Hash Algorithm (SHA-1) hash of the "/etc/passwd" file of server 150, which has a known measurement in the default configuration. Those skilled in the art will appreciate that other cryptographic algorithms could be used. In step 360, FSP 605 and hypervisor 645 cooperate to pass this measurement on and extend vPCR_8 565 with the hash. The PCR 565 identified as holding the configuration data associated with the trusted host environment is reserved for this use only. In step 365, access to the vTPM is secured, to ensure that no casual access can jeopardize its trustworthiness.
In an alternative embodiment, hypervisor 645 records system information in more than one vPCR position not used by the VM boot process 320.
In step 370, if there is any update to the "/etc/passwd" file of server 150, control returns to step 350. For example, administrator 114 changes FSP 605 to enable the "dev" user account. The SHA-1 hash of "/etc/passwd" becomes another given value. In this embodiment, hypervisor 645 instructs vTPM 655 to extend vPCR_8 565 again with the new measurement, and instructs VM 152 to record this update in virtual database 665, giving vPCR_8 565 a new, but still unique, known and predictable, value that reflects the state of the FSP "/etc/passwd" file.
In step 399, the method proceeds to the validation method of Fig. 4.
In step 405, control program 118 receives request, to carry out the remote proving to VM152.In step 410, control program 118 requests are to the visit of VM152.In step 415, between the Terminal Server Client 755 of the long-range pipe person device 735 of control program 118 and VM152 encrypted key exchange takes place, thereby guarantee that this control program 118 is authorized to visit VM152.
In step 420, VM152 sends message 780 to control program 118.Message 780 comprises first value 782 corresponding with the value among the PCR_0 to PCR_7, second value 784 that is used for PCR_8565, the particulars 786 of first event corresponding with the startup of VM152, and the particulars of second event 788 corresponding with the record of "/etc/passwd " file value.In step 425, control program 118 receives message 780.In step 430, analytic unit 715 is analyzed message 780, to determine first value, 782, second value 784, first event detail 786 and second event detail 788.First and second values 782,784 and first and second event details 786,788 are stored in the control program database 730.In step 435, replay component 710 uses first event detail 786 to simulate first event, to set up the one group PCR value 714 corresponding with first event that simulated.Replay component 710 also uses second event detail 786 to simulate second event, to set up the PCR value 716 corresponding with second event that simulated.
The PCR value is unique for the group of the event of being moved the value of generation.Simulation to similar events as always causes identical PCR group as a result.Simulation to different event always causes different PCR group as a result.Whether therefore, can use the described event of relatively coming to determine at the PCR result of two groups of events is identical.If described event is not identical, then this can indicate one group to be distorted, and therefore this system is insincere.
In step 440, comparing component 725 compares the first value 782 received from VM 152, corresponding to PCR_0 to PCR_7 of PCRs 555, with the group 714 of PCR values. Comparing component 725 also compares the second value 784 received from VM 152, corresponding to PCR_8 565 of PCRs 555, with the group 716 of PCR values. In step 445, if the group 712 of PCR values does not match the expected first value 782, the system is not trustworthy and the method moves to step 470. In step 470, administrator 114 takes whatever action is associated with an untrusted system, for example disabling VM 152.
Alternatively, if the group 714 of PCR values matches the expected first value 782, the system may be conditionally trusted, and the method moves to step 450. In step 450, second value 784 is measured. If second value 784 is zero, this indicates that no system value has been set; the system is trusted, and control passes to step 475. In step 475, the administrator takes whatever action is associated with a trusted system, for example recording the result for audit purposes. If second value 784 is non-zero, this indicates that a system value has been set, and control passes to step 455.
In step 455, control program 118 loads requirement 720 and computes the corresponding secret value. In step 460, comparing component 725 compares the secret value with second value 784. A match between the secret value and second value 784 indicates that system 150 meets requirement 720. In step 465, if the secret value matches second value 784, requirement 720 is satisfied and control passes to step 480. In step 480, verifying component 728 is invoked with VM 152 known to be in a compliant state; it admits verification of VM 152 in the trusted host environment, as satisfying the SLA requirement, by carrying out any action associated with the compliant state of VM 152, such as, but not limited to, recording the result in an audit record. If, however, the secret value does not match second value 784, requirement 720 is not satisfied and control passes to step 485. In step 485, verifying component 728 is invoked with VM 152 known to be in a non-compliant state, and it denies verification by carrying out the action associated with failing to satisfy the SLA requirement. For example, in step 485, if administrator 114 changes FSP 605 so as to enable the "dev" user account, but a requirement 720 exists that "dev" must be disabled for VM 152 to run, then action can be taken as a result of the remote attestation, for example disabling the "dev" user account. This happens while VM 152 is running, so any attestation carried out shows that the FSP "dev" user has been enabled without VM 152 having been rebooted.
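The verification procedure of Fig. 4 (steps 420 to 485) and the PCR property stated above, as an added Python example that is not part of the patent or of any IBM implementation. The extend and replay functions model a SHA-1 vTPM; the event log, the requirement string and the system-value strings are constructed for illustration; and the "secret value" of step 455 is assumed to be the PCR_8 value that results from the hypervisor extending a reset register once with the required system value. The example also goes slightly beyond the text by showing that replaying events in a different order gives a different PCR, which is what makes the comparison in step 440 meaningful.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_LEN = 20               # SHA-1 sized registers, as in a TPM 1.2 style vTPM (assumption)
ZERO_PCR = bytes(PCR_LEN)  # reset value of every PCR
BOOT_PCRS = range(0, 8)    # PCR_0 .. PCR_7 hold the boot-time measurements
SYSTEM_PCR = 8             # PCR_8 is extended by the hypervisor with the system value

Event = Tuple[int, bytes]  # (PCR index, measured data): one event-log entry


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR' = H(PCR || H(measurement)). One-way and order-dependent."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Simulate an event log from reset state; returns the PCR values it must produce."""
    pcrs = {i: ZERO_PCR for i in range(SYSTEM_PCR + 1)}
    for index, data in events:
        pcrs[index] = extend(pcrs[index], data)
    return pcrs


def build_quote(boot_events: List[Event], system_value: Optional[bytes]) -> dict:
    """VM side (constructed): the message carrying the PCR values and event details."""
    events = list(boot_events)
    if system_value is not None:
        # the hypervisor extends PCR_8 with the system value it measured (account state)
        events.append((SYSTEM_PCR, system_value))
    pcrs = replay(events)
    return {"boot_pcrs": {i: pcrs[i] for i in BOOT_PCRS},  # first value (PCR_0..PCR_7)
            "system_pcr": pcrs[SYSTEM_PCR],                 # second value (PCR_8)
            "boot_events": boot_events}                     # first event details


def requirement_value(required_system_value: bytes) -> bytes:
    """Control-program side: the PCR_8 value implied by the loaded requirement."""
    return extend(ZERO_PCR, required_system_value)


def attest(message: dict, required_system_value: bytes) -> str:
    """Control-program side: decide the outcome of the remote attestation."""
    # replay the reported boot events and compare with the quoted PCR_0..PCR_7
    replayed = replay(message["boot_events"])
    for i in BOOT_PCRS:
        if replayed[i] != message["boot_pcrs"][i]:
            return "untrusted"            # log and registers disagree: tampering suspected
    # boot matches, so the system is conditionally trusted; now measure PCR_8
    system_pcr = message["system_pcr"]
    if system_pcr == ZERO_PCR:
        return "trusted"                  # no system value set, nothing further to check
    if system_pcr == requirement_value(required_system_value):
        return "requirement met"          # admit verification, record for audit
    return "requirement not met"          # deny verification, take the SLA action


if __name__ == "__main__":
    # Constructed boot log; the data strings stand in for the measured binaries.
    boot_log = [(0, b"firmware 1.0"), (1, b"bootloader"), (4, b"kernel 3.0"), (7, b"initrd")]
    requirement = b"dev-account=disabled"
    print(attest(build_quote(boot_log, b"dev-account=disabled"), requirement))
    print(attest(build_quote(boot_log, b"dev-account=enabled"), requirement))
```

Because the control program never needs the system value itself, only the register value the requirement implies, a VM that reports a forged event log but genuine registers is caught at the first comparison, and an administrator change made after boot is caught at the second without any reboot of the VM.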
The method ends at step 499.
In an alternative embodiment, further environment and configuration items are measured and reported to the remote attestation via vPCRs 555.
In an alternative embodiment, hypervisor 645 reports more than just the user accounts of the underlying system. Useful items that can be measured include the actual configuration of the hardware (for example, the central processing unit (CPU) identification number (ID), type, speed, memory size and hardware serial number).
In an alternative embodiment, hypervisor 645 reports version or patch levels, which can, for example, prove that certain security maintenance has been applied.
In an alternative embodiment of the invention, the vTPM of the system architecture described in Fig. 2 is maintained and updated by a system translator rather than by the hypervisor, or by the two in combination.
In a preferred embodiment of the invention, the method can also be used when VMs 152, 156 are migrated from first server 150 to second server 160. After VMs 152, 156 (and the vTPMs 655 of the migrated VMs 152, 156) have been migrated, the hypervisor 645 running on second server 160 extends PCR_8 565 with the system value from second server 160.
In a preferred embodiment, hypervisor 645 acts as the storage component and cryptographically stores the configuration data associated with the trusted host environment in at least one encrypted data structure. In an alternative embodiment, the storage component comprises another component outside VM 152 that communicates with VM 152 and stores the configuration data in the PCRs 555 of the vTPM 655 of VM 152.
Aspects of the present invention have been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit", "module" or "system". Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied thereon.
Any combination of one or more computer-readable media may be used. The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device.
A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including but not limited to electromagnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
Program code embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fibre cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
For the avoidance of doubt, the term "comprising", as used throughout the description and claims herein, is not to be interpreted as meaning "consisting only of".

Claims (16)

1. A system for providing validation of compliance of a trusted host environment and a virtual machine (VM) with a requirement, the system comprising:
a storage component for cryptographically storing configuration data associated with the trusted host environment in at least one encrypted data structure;
a sending component, responsive to the storage component storing the configuration data, for sending the at least one encrypted data structure to a control component;
an analysis component, responsive to the control component receiving the at least one encrypted data structure, for analysing the at least one encrypted data structure;
a comparing component, responsive to the analysis component determining the configuration data, for comparing the configuration data with the requirement; and
a verifying component, responsive to the comparing component determining that the configuration data matches the requirement, for admitting verification of the VM in the trusted host environment.
2. A system according to claim 1, wherein the verifying component is further operable, in response to the comparing component determining that the configuration data does not match the requirement, to deny verification of the VM in the trusted host environment.
3. A system according to any preceding claim, wherein the storage component is a hypervisor.
4. A system according to any preceding claim, wherein the storage component is in communication with the VM.
5. A system according to any preceding claim, wherein the at least one encrypted data structure is at least one platform configuration register (PCR).
6. A system according to any preceding claim, wherein the at least one encrypted data structure is associated with another trusted host environment of the VM.
7. A system according to any preceding claim, wherein the trusted host environment comprises a trusted platform module.
8. A system according to any preceding claim, wherein the system further comprises a first server comprising the trusted host environment and a second server comprising the control component.
9. A method for providing validation of compliance of a trusted host environment and a virtual machine (VM) with a requirement, the method comprising the steps of:
cryptographically storing configuration data associated with the trusted host environment in at least one encrypted data structure;
in response to the step of storing the configuration data, sending the at least one encrypted data structure to a control component;
in response to the step of receiving the at least one encrypted data structure, analysing the at least one encrypted data structure;
in response to the step of determining the configuration data, comparing the configuration data with the requirement; and
in response to the step of determining that the configuration data matches the requirement, admitting verification of the VM in the trusted host environment.
10. A method according to claim 9, further comprising, in response to the step of determining that the configuration data does not match the requirement, denying verification of the VM in the trusted host environment.
11. A method according to either of claims 9 and 10, wherein the step of cryptographically storing configuration data associated with the trusted host environment in at least one encrypted data structure comprises the step of cryptographically storing the configuration data associated with the trusted host environment in at least one platform configuration register (PCR).
12. A method according to any of claims 9 to 11, further comprising the step of associating the at least one encrypted data structure with another trusted host environment of the VM.
13. A method according to any of claims 9 to 12, wherein the trusted host environment comprises a trusted platform module.
14. A method according to any of claims 9 to 13, further comprising the step of providing a first server comprising the trusted host environment and a second server comprising the control component.
15. A computer program product for providing validation of compliance of a trusted host environment and a virtual machine (VM) with a requirement, the computer program product comprising:
a computer-readable storage medium readable by a processing circuit and storing instructions for execution by the processing circuit for performing a method according to any of claims 9 to 14.
16. A computer program stored on a computer-readable medium and loadable into the internal memory of a digital computer, comprising software code portions for performing the method of any of claims 9 to 14 when the program is run on a computer.
CN201180061838.6A 2010-12-21 2011-12-19 Virtual machine verification system and method thereof Active CN103270518B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP10196282.7 2010-12-21
EP10196282 2010-12-21
PCT/EP2011/073259 WO2012084837A1 (en) 2010-12-21 2011-12-19 Virtual machine validation

Publications (2)

Publication Number Publication Date
CN103270518A true CN103270518A (en) 2013-08-28
CN103270518B CN103270518B (en) 2016-01-20

Family

ID=45406749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201180061838.6A Active CN103270518B (en) 2010-12-21 2011-12-19 Virtual machine verification system and method thereof

Country Status (7)

Country Link
US (1) US9081600B2 (en)
JP (1) JP5957004B2 (en)
CN (1) CN103270518B (en)
DE (1) DE112011104496T5 (en)
GB (1) GB2501205A (en)
TW (1) TW201241662A (en)
WO (1) WO2012084837A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104982005A (en) * 2013-01-22 2015-10-14 亚马逊技术有限公司 Privileged cryptographic services in virtualized environment
CN106406970A (en) * 2015-07-29 2017-02-15 罗伯特·博世有限公司 Method and device for securing the application programming interface of a hypervisor
CN106687980A (en) * 2014-09-17 2017-05-17 国际商业机器公司 Hypervisor and virtual machine protection
CN107466464A (en) * 2014-12-23 2017-12-12 迈克菲有限责任公司 Input validation

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103124973B (en) 2010-09-22 2015-09-30 国际商业机器公司 The use of interactive component during proving bootup process
US8869264B2 (en) 2010-10-01 2014-10-21 International Business Machines Corporation Attesting a component of a system during a boot process
DE112011103048B4 (en) * 2010-11-18 2021-12-23 International Business Machines Corporation A method of authenticating a variety of data processing systems
TW201241662A (en) * 2010-12-21 2012-10-16 Ibm Virtual machine validation
JP5932837B2 (en) * 2011-01-19 2016-06-08 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Method and system for updating and authenticating code, method and system for testing program integrity
US8954964B2 (en) * 2012-02-27 2015-02-10 Ca, Inc. System and method for isolated virtual image and appliance communication within a cloud environment
US9471355B2 (en) 2012-07-31 2016-10-18 Hewlett-Packard Development Company, L.P. Secure operations for virtual machines
US20140075522A1 (en) * 2012-09-07 2014-03-13 Red Hat, Inc. Reliable verification of hypervisor integrity
US10579405B1 (en) * 2013-03-13 2020-03-03 Amazon Technologies, Inc. Parallel virtual machine managers
US9367339B2 (en) * 2013-07-01 2016-06-14 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
US9384006B2 (en) 2013-10-11 2016-07-05 Globalfoundries Inc. Apparatus and methods for automatically reflecting changes to a computing solution into an image for the computing solution
US10031761B2 (en) * 2013-10-11 2018-07-24 International Business Machines Corporation Pluggable cloud enablement boot device and method
US9354894B2 (en) 2013-10-11 2016-05-31 International Business Machines Corporation Pluggable cloud enablement boot device and method that determines hardware resources via firmware
CN104717235B (en) * 2013-12-11 2018-01-02 铁道部信息技术中心 A kind of resources of virtual machine detection method
US9519498B2 (en) 2013-12-24 2016-12-13 Microsoft Technology Licensing, Llc Virtual machine assurances
US9652631B2 (en) 2014-05-05 2017-05-16 Microsoft Technology Licensing, Llc Secure transport of encrypted virtual machines with continuous owner access
US9584317B2 (en) 2014-10-13 2017-02-28 Microsoft Technology Licensing, Llc Identifying security boundaries on computing devices
US10229272B2 (en) 2014-10-13 2019-03-12 Microsoft Technology Licensing, Llc Identifying security boundaries on computing devices
US9519787B2 (en) 2014-11-14 2016-12-13 Microsoft Technology Licensing, Llc Secure creation of encrypted virtual machines from encrypted templates
US10068092B2 (en) * 2015-01-21 2018-09-04 Microsoft Technology Licensing, Llc Upgrading a secure boot policy on a virtual machine
CN107533478A (en) * 2015-07-31 2018-01-02 慧与发展有限责任合伙企业 The migration of computer system
US9471367B1 (en) * 2015-12-08 2016-10-18 International Business Machines Corporation Virtual machine usage data collection using securely loaded virtual firmware
CN107533594B (en) 2016-01-21 2021-01-26 慧与发展有限责任合伙企业 Method for verifying software, safety software system and readable storage medium
EP3465434A1 (en) * 2016-06-16 2019-04-10 Google LLC Secure configuration of cloud computing nodes
US11354421B2 (en) 2019-03-08 2022-06-07 International Business Machines Corporation Secure execution guest owner controls for secure interface control

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101071463A (en) * 2007-06-08 2007-11-14 北京飞天诚信科技有限公司 Method and device for virtulizing personal office environment
US20080244569A1 (en) * 2007-03-30 2008-10-02 David Carroll Challener System and Method for Reporting the Trusted State of a Virtual Machine
WO2009051471A2 (en) * 2007-09-20 2009-04-23 Mimos Berhad Trusted computer platform method and system without trust credential

Family Cites Families (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5237668A (en) * 1989-10-20 1993-08-17 International Business Machines Corporation Process using virtual addressing in a non-privileged instruction to control the copying of a page of data in or between multiple media
US7219315B1 (en) * 2003-09-22 2007-05-15 Tenison Technology Eda Limited Comparison of semiconductor circuitry simulations
US7165201B2 (en) * 2003-09-25 2007-01-16 Hitachi Global Storage Technologies Netherlands B.V. Method for performing testing of a simulated storage device within a testing simulation environment
US7340661B2 (en) * 2003-09-25 2008-03-04 Hitachi Global Storage Technologies Netherlands B.V. Computer program product for performing testing of a simulated storage device within a testing simulation environment
US20050154573A1 (en) * 2004-01-08 2005-07-14 Maly John W. Systems and methods for initializing a lockstep mode test case simulation of a multi-core processor design
US7664965B2 (en) * 2004-04-29 2010-02-16 International Business Machines Corporation Method and system for bootstrapping a trusted server having redundant trusted platform modules
GB2424092A (en) * 2005-03-11 2006-09-13 Transitive Ltd Switching between code translation and execution using a trampoline
US9785485B2 (en) * 2005-07-27 2017-10-10 Intel Corporation Virtualization event processing in a layered virtualization architecture
US7356725B2 (en) * 2005-09-09 2008-04-08 International Business Machines Corporation Method and apparatus for adjusting a time of day clock without adjusting the stepping rate of an oscillator
US8015408B2 (en) * 2006-09-14 2011-09-06 Interdigital Technology Corporation Trust evaluation for a mobile software agent on a trusted computing platform
US8612971B1 (en) * 2006-10-17 2013-12-17 Manageiq, Inc. Automatic optimization for virtual systems
US8127292B1 (en) * 2007-06-22 2012-02-28 Parallels Holdings, Ltd. Virtualization system with hypervisor embedded in bios or using extensible firmware interface
US8259948B2 (en) * 2007-12-29 2012-09-04 Intel Corporation Virtual TPM key migration using hardware keys
US8032942B2 (en) * 2007-12-31 2011-10-04 Intel Corporation Configuration of virtual trusted platform module
US8165864B2 (en) * 2008-02-08 2012-04-24 International Business Machines Corporation Method, system and computer program product for verifying address generation, interlocks and bypasses
WO2009107349A1 (en) * 2008-02-25 2009-09-03 パナソニック株式会社 Information processing device
US20100083251A1 (en) * 2008-09-12 2010-04-01 Hyper9, Inc. Techniques For Identifying And Comparing Virtual Machines In A Virtual Machine System
US20100107160A1 (en) * 2008-10-29 2010-04-29 Novell, Inc. Protecting computing assets with virtualization
US8751654B2 (en) * 2008-11-30 2014-06-10 Red Hat Israel, Ltd. Determining the graphic load of a virtual desktop
US7904540B2 (en) * 2009-03-24 2011-03-08 International Business Machines Corporation System and method for deploying virtual machines in a computing environment
US8336050B2 (en) * 2009-08-31 2012-12-18 Red Hat, Inc. Shared memory inter-process communication of virtual machines using virtual synchrony
US8631404B2 (en) * 2010-02-18 2014-01-14 Red Hat Israel, Ltd. Mechanism for downloading hypervisor updates via a virtual hardware device using existing virtual machine-host channels
US8893092B1 (en) * 2010-03-12 2014-11-18 F5 Networks, Inc. Using hints to direct the exploration of interleavings in a multithreaded program
US8812871B2 (en) * 2010-05-27 2014-08-19 Cisco Technology, Inc. Method and apparatus for trusted execution in infrastructure as a service cloud environments
US8856504B2 (en) * 2010-06-07 2014-10-07 Cisco Technology, Inc. Secure virtual machine bootstrap in untrusted cloud infrastructures
US8468007B1 (en) * 2010-08-13 2013-06-18 Google Inc. Emulating a peripheral mass storage device with a portable device
US20120054486A1 (en) * 2010-08-31 2012-03-01 MindTree Limited Securing A Virtual Environment And Virtual Machines
US8869264B2 (en) * 2010-10-01 2014-10-21 International Business Machines Corporation Attesting a component of a system during a boot process
US8819225B2 (en) * 2010-11-15 2014-08-26 George Mason Research Foundation, Inc. Hardware-assisted integrity monitor
US20120131334A1 (en) * 2010-11-18 2012-05-24 International Business Machines Corporation Method for Attesting a Plurality of Data Processing Systems
US20120151209A1 (en) * 2010-12-09 2012-06-14 Bae Systems National Security Solutions Inc. Multilevel security server framework
US10203974B2 (en) * 2010-12-20 2019-02-12 Microsoft Technology Licensing, Llc Probe insertion via background virtual machine
TW201241662A (en) * 2010-12-21 2012-10-16 Ibm Virtual machine validation
US9612855B2 (en) * 2011-01-10 2017-04-04 International Business Machines Corporation Virtual machine migration based on the consent by the second virtual machine running of the target host
US9178833B2 (en) * 2011-10-25 2015-11-03 Nicira, Inc. Chassis controller
US9015025B2 (en) * 2011-10-31 2015-04-21 International Business Machines Corporation Verifying processor-sparing functionality in a simulation environment
US20130117006A1 (en) * 2011-11-07 2013-05-09 Microsoft Corporation Simulated boot process to detect introduction of unauthorized information
US9229524B2 (en) * 2012-06-27 2016-01-05 Intel Corporation Performing local power gating in a processor
KR20140134451A (en) * 2013-05-14 2014-11-24 한국전자통신연구원 Test environment setting apparatus and, method for network simulation apparatus using the same
US9407580B2 (en) * 2013-07-12 2016-08-02 Nicira, Inc. Maintaining data stored with a packet
US9785454B2 (en) * 2013-07-25 2017-10-10 Login VSI B.V. Virtual session benchmarking tool for measuring performance and/or scalability of centralized desktop environments

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080244569A1 (en) * 2007-03-30 2008-10-02 David Carroll Challener System and Method for Reporting the Trusted State of a Virtual Machine
CN101071463A (en) * 2007-06-08 2007-11-14 北京飞天诚信科技有限公司 Method and device for virtulizing personal office environment
WO2009051471A2 (en) * 2007-09-20 2009-04-23 Mimos Berhad Trusted computer platform method and system without trust credential

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104982005A (en) * 2013-01-22 2015-10-14 亚马逊技术有限公司 Privileged cryptographic services in virtualized environment
CN106687980A (en) * 2014-09-17 2017-05-17 国际商业机器公司 Hypervisor and virtual machine protection
US10409978B2 (en) 2014-09-17 2019-09-10 International Business Machines Corporation Hypervisor and virtual machine protection
CN106687980B (en) * 2014-09-17 2019-10-11 国际商业机器公司 Management program and virtual machine protection
CN107466464A (en) * 2014-12-23 2017-12-12 迈克菲有限责任公司 Input validation
CN106406970A (en) * 2015-07-29 2017-02-15 罗伯特·博世有限公司 Method and device for securing the application programming interface of a hypervisor

Also Published As

Publication number Publication date
JP2014505924A (en) 2014-03-06
US9081600B2 (en) 2015-07-14
WO2012084837A1 (en) 2012-06-28
JP5957004B2 (en) 2016-07-27
CN103270518B (en) 2016-01-20
US20140025961A1 (en) 2014-01-23
GB201312923D0 (en) 2013-09-04
GB2501205A (en) 2013-10-16
DE112011104496T5 (en) 2013-10-17
TW201241662A (en) 2012-10-16

Similar Documents

Publication Publication Date Title
CN103270518B (en) Virtual machine verification system and method thereof
US9501665B2 (en) Method and apparatus for remotely provisioning software-based security coprocessors
KR100930218B1 (en) Method, apparatus and processing system for providing a software-based security coprocessor
US8074262B2 (en) Method and apparatus for migrating virtual trusted platform modules
KR101662618B1 (en) Measuring platform components with a single trusted platform module
US7571312B2 (en) Methods and apparatus for generating endorsement credentials for software-based security coprocessors
US7636442B2 (en) Method and apparatus for migrating software-based security coprocessors
CN1997955B (en) Method and apparatus for providing secure virtualization of a trusted platform module
CN101523401B (en) Secure use of user secrets on a computing platform
US20070016801A1 (en) Method, apparatus, and product for establishing virtual endorsement credentials for dynamically generated endorsement keys in a trusted computing platform
CN109669734A (en) Method and apparatus for starting device
CN104871174A (en) Boot mechanisms for 'bring your own' management
US20230106491A1 (en) Security dominion of computing device
Petrlic Integrity protection for automated teller machines
Qiu et al. Integrity Measurement Model Based on Trusted Virtual Platform
CN114661411A (en) Provisioning secure/encrypted virtual machines in cloud infrastructure
Kursawe The future of trusted computing: An outlook

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant